[sr #107520] GnuTLS: certtool accepts invalid DSA modulus sizes

Jeffrey Walton INVALID.NOREPLY at gnu.org
Tue Nov 16 13:39:23 CET 2010


URL:
  <http://savannah.gnu.org/support/?107520>

                 Summary: GnuTLS: certtool accepts invalid DSA modulus sizes 
                 Project: GnuTLS
            Submitted by: noloader
            Submitted on: Tue 16 Nov 2010 12:39:23 PM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None

    _______________________________________________________

Details:

According to FIPS 186 version 1 and 2, a DSA modulus must be between 512 and
1024 in steps of 64 (512, 576, 640, ..., 960, 1024). See section 4, DSA
PARAMETERS, of http://csrc.nist.gov/publications/fips/fips1861.pdf and
http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.

In addition, at version 2, only moduli of 1024 bits were recommended.

At FIPS 186 version 3, moduli of 1024 or higher are required. See
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf.

Below, certtool is creating a dsa key with 513 bits without error (not a
multiple of 64 bits) nor warning (less than 1024 bits).

$ certtool --dsa --generate-privkey --pkcs8 --outder --bits 513 --outfile
dsa-gnutls.der
Generating a 513 bit DSA private key...
Enter password: 
Confirm password:
$

===================

$ uname -a
Linux studio 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:52:42 UTC 2010
x86_64 GNU/Linux
$ certtool --version
certtool (GnuTLS) 2.8.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>.
...





    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107520>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





More information about the Gnutls-devel mailing list